Internal Authentication With Radius; Authentication Procedure - Proxim Orinoco AP-2500 User Manual

AP-2500 Authentication Methods

Internal Authentication with RADIUS

In this configuration, the AP-2500 provides all of the authentication services described in Internal Authentication, but it also communicates with a Remote Authentication Dial-In User Service (RADIUS) server on the network to determine if a user is valid. RADIUS is an authentication and accounting protocol that is used by many ISPs. The RADIUS server maintains a large central list of subscribers and their attributes (such as the maximum bandwidth allowed for a specific customer) that it communicates back to the AP-2500. The RADIUS server can also perform accounting functions to record a user's login activity to facilitate billing.
RADIUS is a proven carrier-class protocol to perform accurate time and volume-based billing. The RADIUS protocols are defined in RFCs 2865 (Authentication) and 2866 (Accounting). These RFCs are available at http://www.rfc-editor.org/.
NOTE: In RADIUS terminology, the AP is referred to as a RADIUS Client or as a Network Access Server (NAS).

Authentication Procedure

The following diagram illustrates how a client is authenticated when the AP's RADIUS client is enabled.
Figure 3-3: Internal Authentication with RADIUS
1. Client connects to AP and launches Web browser. The AP adds the client to its Current Subscribers Table with State set to "Pending".
2. AP redirects client to the AP's internal login page or to a Portal Page.
   - The AP redirects the customer when it receives an HTTP request from the customer's browser.
   - If the browser's default home page is loaded in the browser's cache, the customer may not be redirected to the login screen. But the customer will be redirected the first time he tries to access a new Web site.
   - The customer must try to access a valid Web site to call up the login screen. Entering an unreachable URL or invalid Web address will not bring up the login screen.
   - Customers who try to access e-mail first will not have a connection. Customers need to login via a Web browser first.
3. Client sends AP its login credentials (User name/password or MAC address).
4. AP checks its Authorized Subscribers Table. If the client is not listed, the AP forwards the authentication request to the RADIUS server.
5. The RADIUS server authenticates the user based on the client's login credentials and notifies AP of successful authentication.
6. AP changes the client's State to "Valid" in its Current Subscribers Table and redirects the client to the requested Web page or to the site specified by Home Page Redirection settings.
7. AP sends an accounting "start" message to the RADIUS server.
   - This assumes that RADIUS accounting is enabled.
   - Note that you can use the same server for RADIUS authentication and accounting or two different RADIUS servers (one for authentication and one for accounting).